EVERYDAY IS SOMEDAY
Business Continuity Management: An Internal Audit Perspective
Tony Adame, CBCP, Director of Consulting Services
(949) 632-2649, Tony.Adame@RipcordSolutions.com
January 14, 2015
A Brief Introduction
Tony Adame, Director of Consulting Services, Ripcord
Responsible for providing business continuity planning, emergency response planning, IT disaster recovery, and crisis management services to Ripcord clients.
20 years of experience in BCM across many industries, as both an internal and an external resource.
Designed and led tabletop and hot-site exercises for numerous clients in numerous industries.
Facilitated real-time Business Continuity, IT Security, and IT DR responses to major incidents.
Started career as an Internal Auditor.
Two Quick Audit Stories
1993: Avco Financial Services
2012: an unnamed credit union
Objectives for Today
Understand why audits/assessments are initiated.
Understand the major areas of BCM programming that auditors (examiners) should be interested in reviewing.
Outline the various audit/compliance rules, regulations, and guidelines available to investigative personnel.
Discuss methods to gather the information to be examined.
Better understand what auditors and regulators should be trying to accomplish by your assessment.
Discuss ways to use an assessment to grow and mature the company's resiliency programming.
A Show of Hands
How many of you have completed an audit of a company's BCM program?
Of those, how many were anxious about how to build a scope and about the eventual results?
Did you feel competent and qualified to conduct the review (or, conversely, did you have to learn what BCM was beforehand)?
What was the best part of the review?
What was your least favorite part of the process?
Did any real good come out of it?
What Are the Threats We Face?
What Triggers an Audit
Recent incident (local, regional, industry- or company-specific). NOTE: beware of "rabbit holes", e.g., Black Swan events.
Budget analysis
Board-level interest (Audit Committee)
Regulatory compliance
Known weakness in one or more BCM components
Holding company directive
New senior leadership
Client or regulator inquiry
BCM Coordinator request
External auditor request
Others??
Various Rules, Regulations, Standards, & Guidelines
ISO 22301
FFIEC (Banking Compliance)
PS-Prep (Public/Private Resiliency Certification)
Dodd-Frank (Banking)
SEC Rule 33-9089 (Corporate Enterprise Risk Mgmt)
NCUA Letter #8 (Credit Union)
COBIT (IT Disaster Recovery)
ANSI/ARMA 5-2003 Vital Records Programs (Records Mgmt & Retention)
HIPAA (Patient Privacy & Records Recovery)
California 8 CCR Section 3220 (Emergency Response)
Joint Commission (Healthcare Emergency Response)
NRS 463.790 (Nevada Resort and Casino Emergency Response)
Calif. SB 1386 (Citizen Personal Privacy)
Business Continuity Management – 5 Components
Business Continuity Planning (BCP): The advance preparations necessary to identify the impact of potential business interruptions; formulate recovery strategies; develop business continuity plans; and administer a training, exercise, and maintenance process.
IT Disaster Recovery (IT DR): The technological tenets of a business continuity program. Focus is on restoration, possibly at an alternate location, of data center services and computing capabilities.
Crisis Management (CM): The ability to strategically manage an event, including the internal and external communications necessary to protect corporate reputation and brand image.
Emergency Response (ERP): An organization's coordinated, effective, and timely response to an emergency. The goal is to avoid or minimize injury to personnel and/or damage to company assets.
Risk Management: The process to identify risk and quantify impact to the business (people, operations, finances, etc.).
What You Should Want To Know
BCM Governance & Oversight:
Does senior management provide sufficient resources and oversight to the BCM Program?
Is there integration between the various response and recovery plans (ERP, CM, IT DR & BCP)?
Is the BCM Coordinator qualified to oversee the Program?
Risk Mgmt:
Have threats been identified and quantified?
What mechanisms are in place to mitigate threat impacts?
ERP:
Are employees and facilities protected?
IT DR:
Can IT recover key infrastructure and application assets in a timely manner after an event?
What You Should Want To Know – cont'd
CMT:
Can executives communicate as a team?
BIA:
Have mission-critical processes been identified?
How long can the operations be down?
What are the financial, operational, reputational, and compliance impacts resulting from a disruption?
What resources will be needed after an event?
BCP:
Are plans in place to continue operations absent facilities, IT, key personnel, and/or critical vendors/business partners?
Awareness & Exercises:
Have plans been exercised?
Do all pertinent personnel understand their role in the company's resiliency efforts?
Maintenance:
What long-term maintenance procedures exist?
Key Areas of Analysis
Risk Assessment complete and current
Sr. Leadership, IT, and business coordinated
Communication (identification, notification, & escalation)
Current and approved BIA
RTOs and RPOs defined and quantified
IT gap analysis available
Tactical ERP, CMT, IT DR & BCP integration & hand-offs
Growth & maturity over time
Focus on ISO 22301:2012
Developed by ISO/TC 223, Societal security. The committee is multi-disciplinary and involves participants from both the public and private sectors.
The committee develops standards for the protection of society from, and in response to, incidents caused by intentional and unintentional human acts, natural hazards, and technical failures.
Its all-hazards perspective covers adaptive, proactive, and reactive strategies in all phases before, during, and after a disruptive incident.
Focus on ISO 22301:2012
Applies to all types and sizes of organizations that wish to: establish, implement, maintain, and improve a BCM Program; assure conformity with the organization's stated business continuity policy; demonstrate conformity to others; seek certification/registration of its BCM Program by an accredited third-party certification body; or make a self-determination and self-declaration of conformity with this International Standard.
Emphasis on setting objectives and monitoring performance and metrics.
Clear expectations on management.
Careful planning for, and preparation of, the resources needed for ensuring business continuity.
The Standard is made up of ten "clauses", seven of which are directly related to the proper development and maintenance of a BCM Program.
Main Clauses of ISO 22301:2012
Clause 4 – Context of the organization (Scoping)
Understanding the organization, both internal and external needs, and setting clear boundaries for the scope of the management system. Understand the requirements of relevant interested parties, such as regulators, customers, and staff. Understand the applicable legal and regulatory requirements.
Clause 5 – Leadership
Sets clear emphasis on the need for appropriate leadership of BCM relative to resource allocation and BCM policy.
Clause 6 – Planning
Requires the organization to identify risks to the implementation of the management system and to set clear objectives and criteria that can be used to measure its success.
Clause 7 – Support
The day-to-day Program Management via competent resource(s) serving as staff with: relevant (and demonstrable) training, supporting services, awareness, and communication vehicles (both internal and external) focusing on format, content, and timing. The Program is supported by appropriately managed documented information, i.e., policies and procedures governing the creation, update, and control of information.
Main Clauses of ISO 22301:2012 – cont'd
Clause 8 – Operations
Risk Assessment: identification, analysis, and evaluation of risk.
Business Impact Analysis: assessment and documentation of mission-critical processes, including RTOs.
Business Recovery Strategy: possible arrangements that will enable the organization to protect and recover critical activities.
Business Continuity Procedures: flexible and straightforward, and including an Incident Response Structure and communications methodologies.
Exercises, Testing, and Maintenance: processes for validating that business continuity plans and procedures align with the selected strategies and are capable of providing response and recovery results within agreed-to timeframes.